data/osv/GO-2024-2682.json

{
  "schema_version": "1.3.1",
  "id": "GO-2024-2682",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2024-22189",
    "GHSA-c33x-xqrf-c478"
  ],
  "summary": "Denial of service via connection starvation in github.com/quic-go/quic-go",
  "details": "An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.",
  "affected": [
    {
      "package": {
        "name": "github.com/quic-go/quic-go",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.42.0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/quic-go/quic-go",
            "symbols": [
              "Dial",
              "DialAddr",
              "DialAddrEarly",
              "DialEarly",
              "Listen",
              "ListenAddr",
              "ListenAddrEarly",
              "ListenEarly",
              "Transport.Dial",
              "Transport.DialEarly",
              "Transport.Listen",
              "Transport.ListenEarly",
              "connIDGenerator.Retire",
              "connIDGenerator.SetMaxActiveConnIDs",
              "connIDManager.Add",
              "connIDManager.Get",
              "connection.AcceptStream",
              "connection.AcceptUniStream",
              "connection.OpenStream",
              "connection.OpenStreamSync",
              "connection.OpenUniStream",
              "connection.OpenUniStreamSync",
              "connection.run",
              "framerI.AppendStreamFrames",
              "framerI.QueueControlFrame",
              "packetPacker.AppendPacket",
              "packetPacker.MaybePackProbePacket",
              "packetPacker.PackAckOnlyPacket",
              "packetPacker.PackApplicationClose",
              "packetPacker.PackCoalescedPacket",
              "packetPacker.PackConnectionClose",
              "packetPacker.PackMTUProbePacket",
              "receiveStream.CancelRead",
              "receiveStream.CloseRemote",
              "receiveStream.Read",
              "sendStream.CancelWrite",
              "streamsMap.AcceptStream",
              "streamsMap.AcceptUniStream",
              "streamsMap.DeleteStream",
              "streamsMap.HandleMaxStreamsFrame",
              "streamsMap.OpenStream",
              "streamsMap.OpenStreamSync",
              "streamsMap.OpenUniStream",
              "streamsMap.OpenUniStreamSync",
              "streamsMap.UpdateLimits",
              "windowUpdateQueue.QueueAll"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a"
    },
    {
      "type": "WEB",
      "url": "https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management"
    }
  ],
  "credits": [
    {
      "name": "marten-seemann"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2024-2682"
  }
}